Skip to content

M1041 Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Item Value
ID M1041
Version 1.0
Created 11 June 2019
Last Modified 11 June 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
enterprise T1557.002 ARP Cache Poisoning Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
enterprise T1119 Automated Collection Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. Strong passwords should be used on certain encrypted documents that use them to prevent offline cracking through Brute Force techniques.
enterprise T1020 Automated Exfiltration -
enterprise T1020.001 Traffic Duplication Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
enterprise T1530 Data from Cloud Storage Object Encrypt data stored at rest in cloud storage.34 Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.5
enterprise T1602 Data from Configuration Repository Configure SNMPv3 to use the highest level of security (authPriv) available.2
enterprise T1602.001 SNMP (MIB Dump) Configure SNMPv3 to use the highest level of security (authPriv) available.2
enterprise T1602.002 Network Device Configuration Dump Configure SNMPv3 to use the highest level of security (authPriv) available.2
enterprise T1565 Data Manipulation Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
enterprise T1565.001 Stored Data Manipulation Consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
enterprise T1565.002 Transmitted Data Manipulation Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
enterprise T1114 Email Collection Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
enterprise T1114.001 Local Email Collection Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
enterprise T1114.002 Remote Email Collection Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
enterprise T1114.003 Email Forwarding Rule Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
enterprise T1070 Indicator Removal on Host Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
enterprise T1070.001 Clear Windows Event Logs Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
enterprise T1070.002 Clear Linux or Mac System Logs Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
enterprise T1040 Network Sniffing Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
enterprise T1003 OS Credential Dumping Ensure Domain Controller backups are properly secured.
enterprise T1003.003 NTDS Ensure Domain Controller backups are properly secured.6
enterprise T1558 Steal or Forge Kerberos Tickets Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.1
enterprise T1558.002 Silver Ticket Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.1
enterprise T1558.003 Kerberoasting Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.1
enterprise T1558.004 AS-REP Roasting Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.1
enterprise T1552 Unsecured Credentials When possible, store keys on separate cryptographic hardware instead of on the local system.
enterprise T1552.004 Private Keys When possible, store keys on separate cryptographic hardware instead of on the local system.
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.001 Application Access Token File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.

References

Back to top